Splunk® Enterprise

Securing Splunk Enterprise

Splunk Enterprise version 7.2 is no longer supported as of April 30, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Configuring SAML in a search head cluster

You can configure SAML on a search head that does or does not use a load balancer. For authentication requests to be signed (recommended), you must use the same signing certificate on all search head members in the cluster.

Every search head in the cluster must have the public key of the IdP. Splunk uses this key to verify the signature of the SAML authentication response. When you use SplunkWeb to configure SAML, the public key from metadata is automatically set to replicate to Search.

1. Generate a public/private key pair.

2. Concatenate the generated key pair into one pem file. This file is used for signing authentication requests going out from Splunk. Concatenate in the following order:

  • Public key is self signed:
    • Private key
    • Public key
  • Public key is signed by a intermediate/rootCA:
    • Private key
    • Public key
    • Issuers of PublicKeys. Should match the order in that the certificate issuers present.
    • root CA.

3. Replicate the new certificate file to the location relative to $SPLUNK_HOME on each search head. Make sure to give the certificate the same name on all search heads. For example:

$SPLUNK_HOME/etc/auth/samlRequestSigningCerts/samlRequestSigningCert.pem

4. Edit the Splunk metadata: In the <X509Certificate> file, swap the public key in the metadata with the public key from the new certificate. Then remove the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- tags.

5. Configure your IdP using the Splunk metadata. See the instructions for your IdP.

6. Collect your IdP metadata and use it to configure Splunk. Previous steps created a SAML-related configuration in $SPLUNK_HOME/etc/system/local/authentication.conf.

Note: To enable seamless Single Logout, we recommend that you configure search head members to all have same entityID.

7. Add the path to the ClientCert parameter in authentication configuration:

clientCert = $SPLUNK_HOME/etc/auth/samlRequestSigningCerts/samlCert.pem)

8. If the private key you created in step 1. is encrypted and you set up a password for the private key sslPassword = <password for private key> then you must repeat steps ABC for all search head members.

9. Reload authentication on all search heads to implement your changes.

10. To validate your configuration, log in to each search head individually to ensure all search heads are using the same key for signing authentication requests and that the IdP is configured with the right cert for verifying signature of the request.

Last modified on 27 October, 2021
Secure SSO with TLS certificates   Configure Ping Identity with leaf or intermediate SSL certificate chains

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.3.0, 9.3.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters